Copyright © FireEye, Inc. All rights reserved.
EMAIL THREAT PREVENTION (ETP)
EMAIL DETONATION ENGINE WITH ANTIVIRUS AND ANTISPAM CAPABILITIES
ETP SUPPORTS O365 AND GMAIL
TECHNICAL OVERVIEW
WHY FIREEYE
• Went public, 2013
• Acquired Mandiant, December 2013
• Awarded SAFETY Act Certification by the Department of Homeland Security
• 3,700 customers
• 67 countries
• 675 of the Fortune Global 2000
• FireEye founded by Ashar Aziz, 2004
• 1st cybersecurity company
• Mandiant founded by Kevin Mandia, 2004
• Issued the APT1 Report, 2013
• $1B+ cash on balance sheet
• iSight Partners founded by John Watters, 2006
Effective Detection and Blocking of Spear Phishing Emails
• Executes email attachment(s) in a virtual machine (MVX) to detect hidden malware
• 30+ file types supported
• Detects and blocks malicious URLs by leveraging FireEye Threat Intelligence and data from the entire FireEye ecosystem
MVX: MULTI-VECTOR AND MULTI-FLOW THREAT DETECTION AND PREVENTION ENGINE
• Low false positives
• High accuracy (low false negatives)
• 28 of 53 zero-days discovered by FireEye with this technology
• Deployed inline to immediately block threats
• Detonation in multiple Windows and OS X environments
• Flows or files are tested against multiple versions of the same application
• Purpose-built, security-hardened hypervisor
• Multi-flow, multi-vector
• Scalable, extensible
Actionable Context with Advanced Threat Intelligence (ATI)
• Risk Level
• Attribution
• Mitigation
• Kill Chain
Broader Protection with Dynamic URL Analysis
1. EX extracts URL from email
2. EX analyzes URL to determine if URL points to a file
3. EX retrieves file and performs dynamic analysis
4. If file is malicious, email is quarantined
Diagram: a link such as http://example.com/clickme that points to http://example.com/afile.pdf is fetched from the Internet and the file is detonated in MVX; if it is malicious, the email goes to Quarantine (ETP with MVX and ATI).
Deeper Protection with FireEye Advanced URL Defense (FAUDE)
1. EX checks threat intel if suspicious URL is known to be malicious
2. Unknown URLs submitted to Deep URL Analysis
3. URL is rewritten and email delivered to prevent delays (inline deployments only)
4. End user redirected to Malicious URL Lookup Server upon link click
5. Based on results of lookup, URL access either allowed, warned or blocked
Diagram: the original link http://example.com/clickme is rewritten to https://protect.fireeye.com/url?abc before the email reaches the email server; on click, the Malicious URL Lookup Server consults FireEye Threat Intelligence (DTI), Deep URL Analysis and MVX and returns Allow, Warn or Block (ETP with MVX and ATI).
Note: Advanced URL Defense requires two-way threat intel subscription
Reduced Evasion with Password Protected File Analysis
• Protects against the common evasion technique of password-protecting PDF and MS Office files in email attachments
• Identifies potential password candidates within the email body
• Determines the password based on the PDF and the password candidates
• Supports detection of English, Asian and Cyrillic passwords
• Supports the ability to decrypt password-protected .7z archive files and base64-encoded files
• Allows customers to add/remove custom password candidates
Defend Individual Logins with Credential Harvesting Protection
• Utilizes URL analysis, message content analysis, image recognition and HTML emulation to detect and stop sophisticated credential-phishing attacks
Diagram: the initial URL is not malicious; the form's 'Post' action is malicious; user credentials are compromised.
Reduce Spoofing with Detection of "Like but not Equal" Domains
• Links inside an email may not be malicious themselves, yet still be phishing attacks in which the domain name has been altered to look like a well-known domain
• Implemented for both sender domains and URLs
• Example: weIIsfargo.com vs wellsfargo.com (the first is spelled with two capital 'i's in place of 'll')
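An added example of the "like but not equal" check described above (my own code, not FireEye's): a confusable-character skeleton that flags weIIsfargo.com against wellsfargo.com in both the sender domain and body URLs. The confusable table, the protected-brand list and the scan_message helper are assumptions constructed for this illustration.

```python
import re
import unicodedata
from email.utils import parseaddr
from urllib.parse import urlparse

# Hand-built confusable table (an assumption: real engines use far larger tables).
# Keys are matched before lowercasing, so a capital 'I' folds to 'l' as in weIIsfargo.
SINGLE = {"I": "l", "1": "l", "|": "l", "0": "o", "5": "s", "3": "e"}
MULTI = [("rn", "m"), ("vv", "w")]

def skeleton(domain: str) -> str:
    """Reduce a domain to a canonical skeleton so look-alike spellings collide."""
    d = unicodedata.normalize("NFKD", domain)          # fold accented / fullwidth forms
    d = "".join(c for c in d if not unicodedata.combining(c))
    d = "".join(SINGLE.get(c, c.lower()) for c in d)   # fold confusable glyphs
    for src, dst in MULTI:
        d = d.replace(src, dst)
    return d

def classify(domain: str, protected: list) -> tuple:
    """'exact' if domain is a protected brand domain, 'lookalike' if only its
    skeleton matches one, otherwise 'none'. Returns (verdict, matched_brand)."""
    low = domain.lower()
    for brand in protected:
        if low == brand.lower():
            return ("exact", brand)
    sk = skeleton(domain)
    for brand in protected:
        if sk == skeleton(brand):
            return ("lookalike", brand)
    return ("none", None)

URL_RE = re.compile(r"https?://[^\s<>\"']+")

def scan_message(from_header: str, body: str, protected: list) -> list:
    """Check the sender domain and every URL host in the body; return lookalike hits."""
    hits = []
    sender = parseaddr(from_header)[1].rpartition("@")[2]
    if sender:
        verdict, brand = classify(sender, protected)
        if verdict == "lookalike":
            hits.append(("sender", sender, brand))
    for url in URL_RE.findall(body):
        # netloc keeps the original case; .hostname would lowercase 'I' to 'i'
        host = urlparse(url).netloc.rpartition("@")[2].split(":")[0]
        verdict, brand = classify(host, protected)
        if verdict == "lookalike":
            hits.append(("url", host, brand))
    return hits
```

A constructed message from "alerts@weIIsfargo.com" linking to http://weIIsfargo.com/login yields a sender hit and a URL hit against wellsfargo.com, while the genuine http://wellsfargo.com/ link is classified as exact and not flagged.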
Stop Evasion with Multi Stage Detection
ETP extends interactions with multi-stage malware to better identify malicious behavior
• Serves honey objects for first stage downloaders
• Renders honey binaries and checks for callback detection
Diagram:
1. File is opened
2. Macro runs and requests a file, which requests an additional file, and then another additional file
3. Requested file executes and infects local system
Advanced Email Protection from the Cloud
Detection and Prevention
• Delivers the same comprehensive detection capabilities as FireEye EX appliances, but hosted in the cloud
• Analyzes both attachment and URL
• Correlates threat intelligence from NX platform with URLs in email
• Integrated Advanced Threat Intelligence (ATI)
• Anti-virus and anti-spam (AV/AS) option
Easy to Manage and Operate
• No equipment to install or maintain
• Works with both on-premise and cloud-based MTAs
• Customer management portal
• Real-time alert notifications
• Summary and detailed alerts with forensic information
• SOC2, Type II data centers in North America and Europe; Asia 2017
Real-Time Intelligence Sharing
Leveraging intelligence from NX to detect and stop spear-phishing emails
• On-premise NX appliances notify ETP of malicious URLs
• NX – ETP communicates through password-protected XML over HTTPS
• ETP correlates and marks previously seen emails with malicious URLs as malicious
Diagram:
1. Spear phishing email carries a malicious, never-seen-before URL
2. User unknowingly visits malicious URL
3. NX determines URL is malicious
4. NX securely notifies ETP (MVX, ATI) of malicious URL
Integration with Cloud Email Services
ETP integrates seamlessly with other cloud email services such as Microsoft Exchange Online (O365) and Gmail
Diagram: mail flows between the cloud email service, ETP (MVX and ATI) and the end user.
BCC Email Flow
• Incoming email from Internet reaches customer MTA (with AV/AS)
• Customer MTA, configured with BCC transport rule, also forwards a copy of email to ETP for analysis
• Admin receives alerts through email and can manage alerts via the ETP web portal
• Customer MTA delivers email to end users
Diagram: steps 1 to 4; the customer MTA forwards to ETP (MVX) over SMTP with TLS.
Inline Email Flow
• Incoming email from Internet reaches ETP Cloud
• ETP analyzes email, quarantines malicious emails, alerts admin
• Safe emails forwarded to customer MTA for end-user delivery
• Admin can manage alerts/release emails via the ETP portal
Diagram: steps 1 to 4; email forwarded over SMTP with TLS; malicious email held in Quarantine by ETP (MVX, ATI).
Requires pointing MX record to ETP
Inline Deployment Options
Diagram, two options, with the MX record pointing to ETP Cloud in both:
• ETP only: ETP (MVX, ATI) in front of cloud/on-premise email services and the end user
• With third party AV/AS: ETP (MVX, ATI) and a cloud AV/AS service in the path before cloud/on-premise email services and the end user
FireEye Email Security Benefits
• Flexible deployment models
• Real time, automated protection from spear-phishing and other socially-engineered attacks to minimize impostor 'calls to action'
• Industry-leading detection of and protection from advanced threats to safeguard business assets
• Comprehensive, contextual threat intelligence to maximize effectiveness of scarce security practitioners
• Protection from hard to detect multi-vector, multi-flow attacks
Email Cloud Infrastructure
Availability
• Warm standby failover across multiple data centers (2x Gov Cloud; 2x NA; 2016: 2x EMEA; 2017: 2x APJ) with validated Disaster Recovery process
• No loss of email, marginal delay in quarantine access
• High Availability components in each DC; resilience during software upgrades or software component failures
• 2n + 2 power redundancy
• Elastic MTA redundancy
Connectivity
• Redundant ISP circuits
• Multi-gigabit links
• Current utilization levels well below 30%
Security
• Public internet access protected with Web Firewall, IPS, Firewall
• Logical and physical access governed by SOC 2 Type II (report separately available with NDA)
• GovCloud FedRAMP certification 1H17
• Periodic security audits and penetration testing
• Only quarantined emails/attachments are stored, with logical separation between customer data
Management
• 24x7 follow-the-sun support
• Automated configuration framework to ensure code and configuration consistency and facilitate horizontal scaling
• Staged rollout to ensure quality and stability
• Centralized logging support via SIEM notification forwarder (logstash)
Copyright © 2016, FireEye, Inc. All rights reserved. CONFIDENTIAL
Cloud Infrastructure Certifications
• Report on controls at a service organization relevant to security, availability, processing integrity, confidentiality or privacy
• Intended to meet the needs of a broad range of users
• Reports use the AICPA Guide and are intended for use by stakeholders of the service organization that have a thorough understanding of the service organization and its internal controls. These reports can form an important part of stakeholders':
  • Oversight of the organization
  • Vendor management program
  • Internal corporate governance and risk management processes
  • Regulatory oversight
• Type 2: report on management's description of a service organization's system and the suitability of the design and operating effectiveness of controls
THANK YOU